Staff and families can find the most up to date information about the PowerSchool data breach below. This page includes links to communication that has been shared and new Frequently Asked Questions (FAQs) for staff and families.
To view recent PDF updates about this incident, please see the links at the bottom of this page. Click here.
To view our most recent media release(s) about this incident, please see the News feed at the bottom of our home page; click here.
To view PowerSchool's FAQ and information pertaining to the data breach, please click here.
Please contact us at [email protected] should you have questions that aren't answered by the information available on this page.
Frequently Asked Questions (FAQ) for PowerSchool Data Breach
Last updated: January 23, 2025
Q: Who is affected?
A: All KPDSB families who have/had students registered in our schools/programs from 2015 to December 28, 2024, are impacted by the breach. All KPDSB staff who have/had access to PowerSchool from 2015 to December 28, 2024, are also impacted.
Q: What is PowerSchool doing to support individuals impacted by the data breach?
A: The information below is directly from PowerSchool (January 23, 2025):
Identity Protection and Credit Monitoring Services: PowerSchool has engaged TransUnion and Experian, trusted credit reporting agencies, to offer two years of complimentary identity protection services for all students and educators whose information from our PowerSchool SIS was involved. This offer will also include two years of complimentary credit monitoring services for all students and educators whose information was involved and who have reached the age of majority. The offered credit monitoring services, which will be available for those who have reached the age of majority, will be provided by TransUnion; the offered identity protection services, which will be available for all involved students and educators, will be provided by Experian. Credit monitoring is being provided by TransUnion because Experian does not offer credit monitoring in Canada.
Notification to Individuals Involved: Starting in the next few weeks, in collaboration with TransUnion and Experian, PowerSchool will provide notice to students, parents / guardians and educators (as applicable) whose information was involved, as well as a phone number to answer any questions you may have about the incident. The notice will include the identity protection and credit monitoring services offer (as applicable).
As soon as PowerSchool learned of the incident, they engaged cybersecurity response protocols and mobilized senior leadership and third-party cybersecurity experts to conduct a forensic investigation of the scope of the incident and to monitor for signs of information misuse. PowerSchool is not aware of any identity theft attributable to this incident.
Q: What student data was accessed?
A: Our investigation has determined that a range of data was accessed. Our investigation has determined that the data accessed included:
- Student demographic information such as first name, last name, date of birth, student phone numbers, and mailing addresses.
- Ontario Education Numbers (OEN)
- Guardian Alerts/Notes (general information about who may pick a student up on a certain day, student’s preferred name, etc.)
- Basic student medical information for some KPDSB students, including details such as asthma, allergies, diabetes, or other medical conditions that were shared with your child’s school.
Q: What staff data was accessed?
A: The breach accessed limited staff work-related data, including names, email addresses (KPDSB emails), personal phone numbers and internal identification numbers. There are some staff mailing addresses that have been accessed through the breach. Those staff members will be contacted directly.
Q: What data was NOT accessed?
A: Our investigation has determined that the following were NOT compromised by the breach:
- KEV Software (School Cash Online)
- No Credit card information was accessed or exposed
- Employee Payroll Information was not affected and remains secure
- No Student Photos were compromised in the Breach
Q: Was financial information accessed?
A: No. Financial information was not accessed, as it is not stored in PowerSchool. This recent cybersecurity breach was limited to PowerSchool systems only.
Q: Were photos accessed?
A: No. Student and staff photos were not accessed in this incident.
Q: Can staff still use their PowerSchool Account?
A: Yes, you can continue to use your PowerSchool account as usual. The PowerSchool cybersecurity incident has not disrupted daily school operations or classroom instruction. PowerSchool has assured us that the incident has been contained and that additional security measures have been implemented to prevent future breaches.
Q: What can the data taken be used for?
A: The accessed data could potentially be used for identity theft, where personal details are misused to impersonate someone or commit fraud. It could also be used for phishing or social engineering, such as sending fake emails or messages designed to trick individuals into revealing sensitive information like passwords or financial details.
While no financial information, passwords, or personal documents were accessed in this incident, it is always important to monitor any digital accounts that you have to watch for activity that is not yours.
We advise being cautious with emails or messages that seem unfamiliar. Avoid clicking on unknown links and refrain from sharing personal details in response to unsolicited requests. We also recommend changing passwords regularly on your personal accounts.
Q: How did the data breach happen?
A: According to PowerSchool, the breach occurred after an unauthorized party used a compromised credential to gain access, affecting information from multiple school divisions worldwide, including KPDSB.
PowerSchool has assured us that the vulnerability has been identified and resolved. They have also implemented enhanced security measures to prevent similar incidents in the future.
Q: What measures are in place to protect against future breaches?
A: This was a PowerSchool breach. PowerSchool says it has strengthened its password policies and controls, including increasing the length and complexity of the passwords required of all employees.PowerSchool is working with CrowdStrike, a leading cybersecurity company, monitoring the internet for any potential misuse of data. We are also closely monitoring the situation.
KPDSB has Multi-Factor Authentication (MFA) enabled for all staff. MFA reduces the risk of account takeovers and provides additional security for users and their accounts.
Q: What should I watch out for to protect my information?
A: We recommend you always use the following practices to keep your accounts and information secure:
- Regularly check your email, online accounts, and social media accounts for any signs of unusual activity.
- Update all account passwords frequently, especially if any have been reused across different platforms.
- Use strong, unique passwords for every account, and consider using a password manager for enhanced security.
- Activate two-factor or Multi-Factor Authentication on any accounts where it’s available for extra protection.
Additionally, stay vigilant against phishing attempts. Be cautious of unfamiliar emails, calls, or messages that claim to be from legitimate organizations. Never click on suspicious links or share personal information without verifying the source. By always taking these precautions, you can help safeguard your accounts and reduce the risk of unauthorized access.
Contact us at [email protected] if you have additional questions.